I am trying to create a self service page for our internal users to manage their own file access by adding/removing users from AD security groups.
I would like the site to run under the context of the user accessing the page as we already have all of the security set up in AD.
I have switched on Windows authentication (Negotiate and NTLM in that order), disabled Anonymous and enabled impersonation in IIS 7.5 as authenticated user. The site now runs under the context of the user accessing the page (I have tested this using System.Security.Principal.WindowsIdentity.GetCurrent().Name).
If I run the site in a browser on the webserver it works fine; however, when I run it from a remote browser it returns an exception when trying to run the following code to retrieve the security groups of the currently logged-on user.
using System.DirectoryServices.AccountManagement;
using System.Security.Principal;

private void GetGroups()
{
    // establish domain context (UserPrincipal.Current does not use it; it builds its own context)
    PrincipalContext yourDomain = new PrincipalContext(ContextType.Domain, "mydomain.com");

    // UserPrincipal.Current binds to AD as the impersonated user; this is the call in the stack trace below
    PrincipalSearchResult<Principal> groups = UserPrincipal.Current.GetGroups();

    // if found - grab its groups
    if (groups != null)
    {
        // iterate over all groups
        foreach (Principal p in groups)
        {
            if (p.Name.Contains("OWNER") && p is GroupPrincipal)
            {
                // group names are underscore-separated; the folder name is the 4th part,
                // with a 5th part appended when the name has more than five parts
                string[] parts = p.Name.Split('_');
                if (parts.Length < 4)
                {
                    continue; // name does not follow the expected pattern; skip instead of throwing
                }
                if (parts.Length <= 5)
                {
                    lb_folder.Items.Add(parts[3]);
                }
                else
                {
                    lb_folder.Items.Add(parts[3] + "_" + parts[4]);
                }
            }
        }
    }
}
Exception:
Exception Details: System.DirectoryServices.DirectoryServicesCOMException: An operations error occurred.
Stack Trace:
[DirectoryServicesCOMException (0x80072020): An operations error occurred.]
System.DirectoryServices.DirectoryEntry.Bind(Boolean throwIfFail) +596521
System.DirectoryServices.DirectoryEntry.Bind() +44
System.DirectoryServices.DirectoryEntry.get_AdsObject() +42
System.DirectoryServices.PropertyValueCollection.PopulateList() +29
System.DirectoryServices.PropertyValueCollection..ctor(DirectoryEntry entry, String propertyName) +63
System.DirectoryServices.PropertyCollection.get_Item(String propertyName) +163
System.DirectoryServices.AccountManagement.PrincipalContext.DoLDAPDirectoryInitNoContainer() +495517
System.DirectoryServices.AccountManagement.PrincipalContext.DoDomainInit() +51
System.DirectoryServices.AccountManagement.PrincipalContext.Initialize() +161
System.DirectoryServices.AccountManagement.PrincipalContext.get_QueryCtx() +42
System.DirectoryServices.AccountManagement.Principal.FindByIdentityWithTypeHelper(PrincipalContext context, Type principalType, Nullable`1 identityType, String identityValue, DateTime refDate) +29
System.DirectoryServices.AccountManagement.Principal.FindByIdentityWithType(PrincipalContext context, Type principalType, IdentityType identityType, String identityValue) +146
System.DirectoryServices.AccountManagement.UserPrincipal.FindByIdentity(PrincipalContext context, IdentityType identityType, String identityValue) +44
System.DirectoryServices.AccountManagement.UserPrincipal.get_Current() +443
_Default.GetGroups() in c:\inetpub\wwwroot\WebSite1\Owner_fileaccess.aspx.cs:340
_Default.Button1_Click1(Object sender, EventArgs e) in c:\inetpub\wwwroot\WebSite1\Owner_fileaccess.aspx.cs:468
System.Web.UI.WebControls.Button.RaisePostBackEvent(String eventArgument) +155
System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) +3804
I read that this may be down to Kerberos authentication not being used so I checked the headers using Fiddler which shows:
Header:
WWW-Authenticate: Negotiate oYG3MIG0oAMKAQChCwYJKoZIgvcSAQICooGfBIGcYIGZBgkqhkiG9xIBAgICAG+BiTCBhqADAgEFoQMCAQ+iejB4oAMCARKicQRv8lZ872B9I6o1oV46zsl4rGFc4TZetqAXZT8VrTvMRw9ClbgTOkqlSYB6PcXxgu7Upn4UeIIEc2doa8bpd4326UitjZaU/cB021ALsaCXpGW6/wLN75pvI/tT6HrlmAuSEOsVnwZJCyR1HpS7UyKU
Auth:
No Proxy-Authenticate Header is present.
WWW-Authenticate Header (Negotiate) appears to be a Kerberos reply:
No idea why but this just started working today without any changes.
The only thing I can think of is that the "Trust this computer for delegation" setting I applied in AD took a while to replicate?
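The failure described above is the classic "double hop": with NTLM, or with a Kerberos token that was not issued at delegation level, the impersonated request token cannot be forwarded from the web server to a domain controller, so the LDAP bind inside UserPrincipal.Current fails with 0x80072020. The following is an added example, not code from the question, that (a) reports whether the current request token could be delegated at all, and (b) resolves the caller's groups without needing delegation by performing the directory read under the application pool identity while keeping the caller's identity for authorisation. The domain name "mydomain.com" comes from the question; the class and method names and the use of GetGroups over direct memberships are assumptions for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.DirectoryServices.AccountManagement;
using System.Security.Principal;

// Added example: diagnose the double-hop condition and look up the caller's
// groups without relying on "Trust this computer for delegation".
public static class GroupLookup
{
    // Explains why a delegated AD bind from this request would fail. An NTLM token,
    // or a Kerberos token at Impersonation (not Delegation) level, cannot be used to
    // authenticate to a second server such as a domain controller.
    public static string DescribeDoubleHopRisk(WindowsIdentity caller)
    {
        if (caller == null || caller.IsAnonymous)
            return "anonymous: Windows authentication is not in effect";

        if (!string.Equals(caller.AuthenticationType, "Kerberos", StringComparison.OrdinalIgnoreCase))
            return caller.AuthenticationType + " token: cannot be forwarded to AD; expect 0x80072020 on bind";

        if (caller.ImpersonationLevel != TokenImpersonationLevel.Delegation)
            return "Kerberos " + caller.ImpersonationLevel + " token: delegation is not permitted for this host";

        return "Kerberos Delegation token: an AD bind under the user's identity can succeed";
    }

    // Returns the group names of the impersonated caller. The LDAP bind runs as the
    // worker process (application pool) identity, which only needs read access to AD,
    // so no delegation setting is required. The caller's SID is captured first so the
    // lookup is still about the authenticated user, not the pool account.
    public static List<string> GetCallerGroupNames(string domain)
    {
        var names = new List<string>();
        WindowsIdentity caller = WindowsIdentity.GetCurrent();
        if (caller == null || caller.User == null)
            return names;

        string callerSid = caller.User.Value;

        // Impersonate(IntPtr.Zero) reverts to the process identity for the duration of the scope.
        using (WindowsIdentity.Impersonate(IntPtr.Zero))
        using (var ctx = new PrincipalContext(ContextType.Domain, domain))
        using (UserPrincipal user = UserPrincipal.FindByIdentity(ctx, IdentityType.Sid, callerSid))
        {
            if (user == null)
                return names;

            // GetGroups returns direct memberships, matching the question's approach.
            using (PrincipalSearchResult<Principal> groups = user.GetGroups())
            {
                foreach (Principal p in groups)
                {
                    if (p is GroupPrincipal && !string.IsNullOrEmpty(p.Name))
                        names.Add(p.Name);
                }
            }
        }
        return names;
    }

    // Example call from a page event handler (assumed usage):
    //   string risk = GroupLookup.DescribeDoubleHopRisk(WindowsIdentity.GetCurrent());
    //   List<string> groups = GroupLookup.GetCallerGroupNames("mydomain.com");
}
```

Two points follow from this design. First, DescribeDoubleHopRisk gives a deterministic check to log on every request, so a delegation change that has not replicated yet shows up as "NTLM token" or "Kerberos Impersonation token" rather than as an opaque operations error. Second, because the write operations the page is meant to perform (adding and removing group members) would also run as the pool account when delegation is avoided, the code must enforce on its own that the caller is entitled to change a given group; the pool account's AD permissions should then be limited to exactly the groups this page manages.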